CVE-2006-0549
published 2006-02-04
high 7.5 CVSS 3.1
AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
SQL injection vulnerability in the SYS.DBMS_METADATA_UTIL package in Oracle Database 10g, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB05 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0260. However, there are some inconsistencies that make this unclear, and there is also a possibility that this is related to DB06, which is subsumed by CVE-2006-0259.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| oracle | database_server | — | — |
No detection rules found.
Exploit-DB
Oracle 9i/10g DBMS_METADATA.GET_DDL - SQL Injection (2)
exploitdb·2007-02-26
```perl
#!/usr/bin/perl
#
# Remote Oracle DBMS_METADATA.GET_DDL exploit (9i/10g)
# - Version 2 - New "evil cursor injection" tip!
# - No "create procedure" privilege needed!
# - See: http://www.databasesecurity.com/ (Cursor Injection)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: https://www.securityfocus.com/bid/16287
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Fri Feb 26 12:32:55 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
# bunker@fin:~$ perl dbms_meta_get_ddlV2.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DB
```
Exploit-DB
Oracle 9i/10g - DBMS_METADATA.GET_DDL SQL Injection
exploitdb·2007-02-23
```perl
#!/usr/bin/perl
#
# Remote Oracle DBMS_METADATA.GET_DDL exploit (9i/10g)
#
# Grant or revoke dba permission to unprivileged user
#
# Tested on "Oracle Database 10g Enterprise Edition Release 10.1.0.3.0"
#
# REF: https://www.securityfocus.com/bid/16287
#
# AUTHOR: Andrea "bunker" Purificato
# http://rawlab.mindcreations.com
#
# DATE: Copyright 2007 - Fri Feb 23 12:32:55 CET 2007
#
# Oracle InstantClient (basic + sdk) required for DBD::Oracle
#
#
# bunker@fin:~$ perl dbms_meta_get_ddl.pl -h localhost -s test -u bunker -p **** -r
# [-] Wait...
# [-] Revoking DBA from BUNKER...
# DBD::Oracle::db do failed: ORA-01031: insufficient privileges (DBD ERROR: OCIStmtExecute) [for Statement "REVOKE DBA FROM BUNKER"] at dbms_meta_get_ddl.pl line
```
Bugzilla
CVE-2006-1494 PHP tempname open_basedir issue
bugzilla·2006-07-03·CVSS 2.6 [LOW]
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0549.html
Bugzilla
CVE-2005-2933 imap buffer overflow
bugzilla·2006-05-03·CVSS 7.5 [HIGH]
+++ This bug was initially created as a clone of Bug #169953 +++
iDEFENSE has reported a buffer overflow in the wu-imap server:
http://www.idefense.com/application/poi/display?id=313&type=vulnerabilities
An authenticated user can request a mailbox with a specially crafted name which
will overflow a buffer.
Discussion:
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
http://rhn.redhat.com/errata/RHSA-2006-0549.html
http://www.integrigy.com/info/IntegrigySecurityAnalysis-CPU0106.pdf
http://www.kb.cert.org/vuls/id/629316
http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_metadata_util.html
http://www.us-cert.gov/cas/techalerts/TA06-018A.html
https://exchange.xforce.ibmcloud.com/vulnerabilities/24321
Published: 2006-02-04